Different Services, Different Realms, but One Host

Sam Hartman hartmans at MIT.EDU
Tue Mar 9 12:08:32 EST 2004


>>>>> "ms419" == ms419  <ms419 at freezone.co.uk> writes:

    ms419> Pardon this newbish question, but here's the setup: I want
    ms419> to distribute the keys for one host among two
    ms419> realms. Basically, I've got a sensitive service running on
    ms419> a couple of hosts, and a less secure service running on the
    ms419> same hosts. I want to store the keys for the sensitive
    ms419> service in one realm, and the keys for the others in
    ms419> another. Any problems with these premises?

Yes.  Current Kerberos implementations assume a host belongs to one
realm.  You'll find it difficult to actually do this.

Also, users will end up having multiple passwords which will be
annoying.

I recommend having one KDC which is more secure than your most
sensitive service.
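As an added illustration that is not part of the original post: a simplified model of how a client resolves a service principal's realm from the `[domain_realm]` section of krb5.conf. It shows that the host name is the only input to the realm choice, so two services on one host land in the same realm. The realm names, host names and function names are constructed for this example.

```python
# Constructed krb5.conf fragment; realm and host names are hypothetical.
KRB5_CONF = """
[domain_realm]
    .example.com = CORP.EXAMPLE.COM
    secure1.example.com = SECURE.EXAMPLE.COM
"""


def parse_domain_realm(text):
    """Return the [domain_realm] relations as a dict with lower-cased keys."""
    mapping, section = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip()
        elif section == "domain_realm" and "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            mapping[key.lower()] = value
    return mapping


def host_realm(mapping, host, default=None):
    """Simplified lookup: exact host entry, then parent domains with a leading dot."""
    host = host.lower().rstrip(".")
    if host in mapping:
        return mapping[host]
    labels = host.split(".")
    for i in range(1, len(labels)):
        suffix = "." + ".".join(labels[i:])
        if suffix in mapping:
            return mapping[suffix]
    return default


def service_principal(mapping, service, host, default=None):
    """Build service/host@REALM. The service name never influences the realm."""
    return f"{service}/{host.lower()}@{host_realm(mapping, host, default)}"


if __name__ == "__main__":
    m = parse_domain_realm(KRB5_CONF)
    # Both services on the same host resolve to the same realm.
    for svc in ("host", "ldap"):
        print(service_principal(m, svc, "secure1.example.com"))
```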


